Re: Problems with state synchronisation

2005-02-15 Thread Andrea Mistrali
Il giorno 14 feb 2005, alle 18:06, Ryan McBride ha scritto:
On Mon, Feb 14, 2005 at 10:20:44AM +0100, Andrea Mistrali wrote:
Those lines are always relative to broadcast addresses.
What can it be?
If a packet reaches both firewalls, they will both create state; when
they each receive the state creation message from the other, the state
already exists and the insertion fails.
You can ignore the messages, or modify your ruleset so that broadcast
packets don't create synchronised states.

Yeah! You're right! How stupid I am :))
Thanks
Andrea
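One way to apply the ruleset change Ryan suggests, as an added example that is not from the thread: pass broadcast traffic without a state that pfsync would push to the peer. The interface macro is an assumption; `keep state (no-sync)` is pf's state option for exactly this situation.

```pf
# Added illustration, not from the thread; $int_if is an assumed name.
int_if = "fxp0"

# Both CARP peers see every broadcast on the LAN, so each creates a state
# and then rejects the copy of it that arrives over pfsync. Either create
# no state for broadcasts (pf 3.x is stateless unless "keep state" is
# given; on a stateful-by-default pf append "no state" to this rule) ...
pass in quick on $int_if inet proto udp from any to { 255.255.255.255, $int_if:broadcast }

# ... or keep a local state but never announce it on the pfsync interface.
# (Alternative to the rule above; use one or the other.)
# pass in quick on $int_if inet proto udp from any to $int_if:broadcast keep state (no-sync)
```

Either way the "state insert failed" messages for broadcasts stop, because no peer ever receives a state it has already created itself.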


blocking IP range Q

2005-02-15 Thread Dominic Opferkuch
Hello 

I need to block certain IPs on my webserver. Can
anyone point out how to do that.

Here's the IP address range I need to block 

  (*-ed out the first three digits)
***.139.192.0 --***.139.223.255

Thanks for the help friends

Dom





Borrow not working

2005-02-15 Thread Alexandre Ilha
Hello, everybody.
We've been trying to get borrow to work for us, but despite our 
reading every reasonable piece of documentation, messages in this list 
and several web pages - trying to find a solution, it's still not 
working. We also tried to use the same PF configuration on BSD 3.3 and 
3.6,  with no success.

Our pf.conf follows. It's a simple setup that intends to share 1MB of 
the available bandwidth between two hosts, guaranteeing a minimum of 
256Kbps for each. The issue is that even when all the bandwidth is 
available, downloads won't borrow from the parent, as expected, and, 
therefore, won't go faster than 512Kbps.

# ------------------------------------------------------------------
# Connections

# fxp0 - 10.0.5.0/24  - LAN
# xl0   - 10.0.0.200  - Ext
# ------------------------------------------------------------------
# Definitions: Interfaces

lan_if = fxp0
lan_gw = 10.0.5.1
ext_if  = xl0
ext_gw  = 10.0.0.200
# ------------------------------------------------------------------
# Firewall Options

set limit { states 10, frags 5000 }
set loginterface $lan_if
scrub in all fragment reassemble no-df
# ------------------------------------------------------------------
# Queue

altq on $lan_if bandwidth 10Mb cbq queue { std_down, ext_down }
   queue std_down bandwidth 1024Kb cbq(default)
   queue ext_down bandwidth 1024Kb { lan_down_1, lan_down_2 }
   queue lan_down_1 bandwidth 512Kb cbq(borrow)
   queue lan_down_2 bandwidth 512Kb
# ------------------------------------------------------------------
# NAT

nat on $ext_if from $lan_if:network to any -> ($ext_if)
# ------------------------------------------------------------------
# Filter

# Default policy: block all traffic
block log all
# Allow loopback communication
pass quick on lo0 all
# ------------------------------------------------------------------
# Filter

pass in on $lan_if proto tcp \
   from $lan_if:network to any flags S/SA modulate state
pass in on $lan_if proto { udp, icmp } \
   from $lan_if:network to any keep state
# For Machine 1
pass in on $lan_if proto tcp \
   from 10.0.5.100 to any flags S/SA modulate state queue lan_down_1
pass in on $lan_if proto { udp, icmp } \
   from 10.0.5.100 to any keep state queue lan_down_1
# For Machine 2
pass in on $lan_if proto tcp \
   from 10.0.5.101 to any flags S/SA modulate state queue lan_down_2
pass in on $lan_if proto { udp, icmp } \
   from 10.0.5.101 to any keep state queue lan_down_2
# Destination: This Host
pass in on $lan_if from $lan_if:network to ($lan_if) keep state
pass in on $ext_if from $ext_if:network to ($ext_if) keep state
# Outbound Traffic Rules
pass out on $ext_if inet proto tcp \
from any to any flags S/SA modulate state
pass out on $ext_if inet proto { udp, icmp } \
from any to any keep state
# ------------------------------------------------------------------

Any help would be VERY appreciated.
Thanks a lot.
Alexandre Ilha
Network Administration
TeleHUMANA Communications
http://www.telehumana.com.br
P.S.: The system that pf.conf is used on is _not_ my production 
firewall, so please don't flame me with that 'it's dangerous' talk... :-)


Re: blocking IP range Q

2005-02-15 Thread Kim Esben Jørgensen
Sorry the CC: was incorrect.
Kim Esben Jørgensen wrote:
Hi Dominic
Dominic Opferkuch wrote:
Hello
I need to block certain IPs on my webserver. Can
anyone point out how to do that.
Here's the IP address range I need to block
 (*-ed out the first three digits)
   ***.139.192.0 --***.139.223.255
Thanks for the help friends
Dom
 

Convert to CIDR blocks.
Perhaps you can use
http://search.cpan.org/~mrsam/Net-CIDR-0.10/CIDR.pm
i did.

--
Mvh.
Kim Esben Jørgensen


bridging, inbound load balancing CARP

2005-02-15 Thread Kevin
Hi all,

After some serious head scratching, lots of searching, and much brow
furrowing, I can't find an answer to this simple question about
bridges and load balancing with OpenBSD:

Can one do inbound load balancing between a couple of web servers
(box01 and box02) when running two OBSD machines as bridging firewalls
w/CARP on the front end? If not, is there some other way (without
having the ISP route our /24 for us) for us to pull this off?

FWIW in the present scenario below, I'm pointing to 208.12.17.225 with
all our machines in /etc/mygate.

The network looks like this:

   INTERNET
  /|\
   |
 [ISP's ROUTER] (208.12.17.225/32-- Part of 208.12.17.224/29.))
  /|\
   |
 [MY SWITCH01]
 /   \
/ \
 [gw1][gw2]   (OBSD bridges 208.12.17.226 and .227-- Part of
208.12.17.224/29.)
  /|\ /|\
   |   |
 [MY SWITCH02]
  /|\ /|\
   |   |
[box01]   [box02]   (208.19.20.25 and 208.19.20.27--Part of 208.19.20.0/24)

Thanks so much for your $.03 on this everyone.

Kevin




-- 
http://www.ebiinc.com : 
Employee Background Screening from EBI
A leader in corporate background checks, worldwide.


Re: Can't even do an ls on a FTP server located on the WAN

2005-02-15 Thread Nicolas
On Mon, Feb 14, 2005 at 10:53:44PM -0600, eric wrote:
 On Tue, 2005-02-15 at 00:12:59 +0100, Nicolas proclaimed...
 
  I'm trying to connect to an FTP server located on the WAN, from a box
  which is located in my local network.
  
  But I can't even do an ls. I can connect, but then, I can't do anything
  on the FTP server.
 
 Post your pf.conf.

Unfortunately, the floppy disk is broken on my bastion. Since the
pf.conf is around 15ko, I'll avoid typing it... ;-)
However, here's the rule I added for the FTP:

pass in quick on $name_itf_ext inet proto tcp from port 20 to
($name_itf_ext) user proxy flags S/SA keep state

Here are the tcpdump -n -e -ttt -r /var/log/pflog output when I try to
connect to the FTP server located on the WAN, from my client:

Feb 15 19:57:10.770100 rule 0/0(match): block in on ep0:
213.246.62.4.36105 > 192.168.14.26.113: S 3830247271:3830247271(0) win
5840 mss 1420,sackOK,timestamp[|tcp} (DF)
Feb 15 19:57:13.768532 rule 0/0(match): block in on ep0:
213.246.62.4.36105 > 192.168.14.26.113: S 3830247271:3830247271(0) win
5840 mss 1420,sackOK,timestamp[|tcp] (DF)

Here's what appears on the screen, also:

Feb 15 19:58:36 bastion ftp-proxy[28303]: connect() failed (No route to
host)

Here's the gftp output when I try to connect to the FTP server (which is
ftp.europephoto.com):

Recherche de ftp.europephoto.com
Essai avec heb62004.ikoula.com:21
Connecté sur ftp.europephoto.com:21
220 ProFTPD 1.2.9 Server (ProFTPD) [heb62004.ikoula.com]
USER 
331 Password required for .
PASS 
230 User  logged in.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I
PWD
257 / is current directory.
Loading directory listing / from server ([EMAIL PROTECTED])
PASV
227 Entering Passive Mode (192,168,14,26,206,94)
LIST -aL
Déconnexion de l'hôte ftp.europephoto.com
Invalid response '

Here's a line for ftp-proxy in /etc/inetd.conf:
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
frp-proxy -n -D 3

Here's what's written in /var/log/daemon:
Feb 15 19:57:10 bastion ftp-proxy[28303]: accepted connection from
192.168.11.26:34681 to 213.246.62.4:21
Feb 15 19:58:36 bastion ftp-proxy[28303] connect() failed (No route to
host)

=( I sent an email to ikoula.com, which hosts my website and the ftp
server. I asked them what passive ports are defined in their
proftpd.conf file. They told me it's the port 21, but I'm not quite sure
they clearly understood what information I asked for... :-/

The REALLY strange thing is that I can connect to any other FTP server,
including ftp.debian.fr. Moreover, I never had to set up ftp-proxy on my
OpenBSD bastion to access FTP servers located on the WAN, from my LAN
computer. I set it up yesterday, because I thought it could solve my
problem with connecting to ftp.europephoto.com... :-/

By the way, I use OpenBSD 3.5.

Do you have any idea?
Don't hesitate to ask me for any other information you could need.

Thank you for your help.

Nicolas, Paris.

-- 
--- OxStOnE --  O
- Z750  Linux ---  ._ /\_
--- Powered --  (x) (x)



Re: blocking IP range Q

2005-02-15 Thread Jason Opperisano
On Tue, Feb 15, 2005 at 09:42:40AM -0800, Dominic Opferkuch wrote:
 Hello 
 
 I need to block certain IPs on my webserver. Can
 anyone point out how to do that.
 
 Here's the IP address range I need to block 
 
   (*-ed out the first three digits)
 ***.139.192.0 --***.139.223.255
 
 Thanks for the help friends

generically:

  block drop in quick inet from ***.139.192.0/19 to any

-j

--
English - Who needs that? I'm never going to England!
--The Simpsons
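Putting Kim's "convert to CIDR blocks" and Jason's block rule together, as an added example that is not from the thread; the leading octet stays the poster's placeholder, and the interface macro and table name are assumptions.

```pf
# Added example; the leading octet is the poster's "***" placeholder and
# $ext_if / <blocked> are assumed names.
ext_if = "em0"

# ***.139.192.0 - ***.139.223.255 is a single CIDR block: the third octet
# runs from 192 (1100 0000) to 223 (1101 1111), so only its top 3 bits are
# fixed and the prefix length is 8 + 8 + 3 = 19.
#
# A range whose ends are not aligned like that needs several blocks, e.g.
# ***.139.192.0 - ***.139.230.255 would be
#   ***.139.192.0/19 (192-223)   ***.139.224.0/22 (224-227)
#   ***.139.228.0/23 (228-229)   ***.139.230.0/24 (230)
# and all of them go into the same table.
table <blocked> persist { ***.139.192.0/19 }

# Drop silently, before any pass rule, on the external interface only, so
# traffic from the same range on the inside (if any) is not affected.
block drop in quick on $ext_if inet from <blocked> to any
```

Further ranges can be added at runtime with `pfctl -t blocked -T add <cidr>` without reloading the ruleset.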


Good HFSC explanation

2005-02-15 Thread Bob
Is there a clear HFSC explanation somewhere, with real simple examples? 
Preferably that apply directly to PF which uses three SC types, not two.

I've found plenty of documents, but they're all high-level overview 
slideshows that are a bit hard to fathom.
-- 
Bob


Re: altq fishiness

2005-02-15 Thread Bob
Jason Murray wrote:

 As I understand it the two child ssh queues should just use up all the 
 bandwidth from the parent.

I couldn't get CBQ to use up all of the bandwidth. Even when only one 
queue had any traffic, the bandwidth was never getting saturated.

Possibly (probably) it was something I was doing wrong. But I've changed 
to HFSC now, and my broadband line is saturated with traffic. So I'm happy.

I have to admit, though, that I couldn't find any simple explanation of 
HFSC with regard to PF, so I had to guess my way through setting it up.
-- 
Bob


Re: using altq for rate limiting on certain ports across multiple

2005-02-15 Thread Bob
darren david wrote:

 My /guess/ is that i need 2 queues - one on $EXT_IF inbound and one on 
 $PRIV_IF outbound. Or perhaps i simply need to be tagging packets? 
 $PRIV_NET is NATed, as one might expect.

You seem to be confused, as I was, about the possibilities of the queue 
mechanism.

You cannot queue packets coming into your firewall / shaper. Once they 
have arrived, it is too late to ask them not to arrive. No doubt your 
ISP is using queuing of some sort, but you have no influence over that.

So, first of all, you need to realise that you can only queue stuff 
*leaving the firewall*.

Secondly, now you know this, you need to realise that you needn't 
consider queues that affect both interfaces. It's not possible to have a 
queue that affects an internal and external interface (because you 
cannot queue packets entering the firewall), so you don't need to worry 
about trying to accomplish this.

If what you are hoping to do is limit the download bandwidth of a 
machine on $PRIV_NET, for instance $dev_box, you just limit the rate 
that $dev_box can draw packets out of the firewall. Which requires only 
a queue that affects $PRIV_IF, because (sing along now) you cannot 
affect the rate at which packets are received from your ISP.

If you want to limit the upload rate of $dev_box, then you want a queue 
that acts on $EXT_IF. Because NAT is working on $EXT_IF, you will not be 
able to check the local address of packets on $EXT_IF, so if you need to 
limit the upload rate of a specific private address, tag those packets 
using a rule that acts on the internal interface. Tags in PF remain the 
whole time the packet is in the firewall, and are not transmitted 
outside of the firewall.

Because of what is described above, it is probably not possible to 
precisely limit the download rate of the firewall machine (when 
downloading CVSup data, for instance). It might be possible to reduce 
the downstream bandwidth the firewall uses by limiting its upstream 
bandwidth (which is tricky because a packet can only be tagged once), 
but unless your firewall is likely to be downloading a lot, it's 
probably unnecessary to do so.

Hopefully I haven't confused you worse than before. I've just finished 
(well, tinkering continues) configuring my PF firewall, so for the 
moment I'm full of wisdom that will quickly fall out of my spongy brain.
-- 
Bob
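The tag-on-the-inside, queue-on-the-outside approach Bob describes, as an added example that is not from the thread; interface names, the $dev_box address, bandwidths and queue names are all assumptions.

```pf
# Added illustration of the approach described above; every name, address
# and bandwidth here is an assumption, not from the thread.
ext_if   = "xl0"
priv_if  = "fxp0"
priv_net = "192.0.2.0/24"     # constructed example prefix
dev_box  = "192.0.2.50"

# Downloads can only be shaped where they *leave* the firewall: on
# $priv_if, towards $dev_box. Packets arriving from the ISP on $ext_if
# cannot be queued.
altq on $priv_if cbq bandwidth 10Mb queue { lan_std, lan_dev }
  queue lan_std bandwidth 9Mb cbq(default)
  queue lan_dev bandwidth 512Kb           # cap for traffic to $dev_box

# Uploads leave on $ext_if. After NAT their source is ($ext_if), so
# $dev_box cannot be matched there; the tag attached when the packet
# entered on $priv_if survives inside the firewall and is matched instead.
altq on $ext_if cbq bandwidth 512Kb queue { up_std, up_dev }
  queue up_std bandwidth 384Kb cbq(default)
  queue up_dev bandwidth 128Kb            # cap for $dev_box's uploads

nat on $ext_if from $priv_net to any -> ($ext_if)

# pf uses the last matching rule, so the general rules come first and the
# $dev_box-specific ones after them.
pass in on $priv_if inet from $priv_net to any keep state
# Entering from $dev_box: tag it for the upload side and pick the download
# queue, which pf remembers in the state and applies to the replies when
# they go back out on $priv_if.
pass in on $priv_if inet from $dev_box to any keep state queue lan_dev tag DEV_UP

pass out on $ext_if inet from any to any keep state
# Leaving on $ext_if: tagged packets go to the limited upload queue.
pass out on $ext_if inet from any to any keep state tagged DEV_UP queue up_dev
```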


Re: Good HFSC explanation

2005-02-15 Thread Mike Belopuhov
On Fri, Feb 11, 2005 at 15:39 +, Bob wrote:
 Is there a clear HFSC explanation somewhere, with real simple examples? 
 Preferably that apply directly to PF which uses three SC types, not two.
 
 I've found plenty of documents, but they're all high-level overview 
 slideshows that are a bit hard to fathom.
 -- 
 Bob

Search the archives of this list for ``Specific HFSC questions'' thread.
Jared did a lot of work, thanks.


Re: Good HFSC explanation

2005-02-15 Thread jared r r spiegel
On Fri, Feb 11, 2005 at 03:39:17PM +, Bob wrote:
 Is there a clear HFSC explanation somewhere, with real simple examples? 
 Preferably that apply directly to PF which uses three SC types, not two.
 
 I've found plenty of documents, but they're all high-level overview 
 slideshows that are a bit hard to fathom.

  i myself am still learning about HFSC, and experimenting, however
  if you search pf list archives for 'jared hfsc', you can see a lot
  of posts by me or in re: to me about HFSC.

  of note:

http://marc.theaimsgroup.com/?l=openbsd-pfm=105691519510241w=2
http://marc.theaimsgroup.com/?l=openbsd-pfm=107936788832658w=2
http://marc.theaimsgroup.com/?l=openbsd-pfm=110488079304643w=2

  jared

-- 

[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]


Re: altq fishiness

2005-02-15 Thread jared r r spiegel
On Thu, Feb 10, 2005 at 07:59:31PM +, Bob wrote:
 
 I couldn't get CBQ to use up all of the bandwidth. Even when only one 
 queue had any traffic, the bandwidth was never getting saturated.
...
 Possibly (probably) it was something I was doing wrong. But I've changed 
 to HFSC now, and my broadband line is saturated with traffic. So I'm happy.
  
  remove 'red' and see if it saturates the bandwidth of the queue.

  red is something i liked the sound of, but stopped using because i 
  think i didn't understand fully its implications on a bandwidth-queue.

  afaict, if red is on a cbq(/hfsc?) queue which is designed as a bandwidth
  partition, the bandwidth consumed by the queue will never reach the
  cap, but will be reduced with some calculus asymptote lines or something
  as it approaches it.  could be way wrong too - i'm going on my interpretation
  of the effect it had on queues as i watched/tested them.

 I have to admit, though, that I couldn't find any simple explanation of 
 HFSC with regard to PF, so I had to guess my way through setting it up.

  hfsc has a very steep learning curve, but i believe that is partially
  its nature.  for me it seems it demands you get your head around it, 
  rather than trying to be a bit easier to understand and missing a bit
  of the picture.

  the crossbow site is excellent for this, but seems to take several
  reads through to sink in fully.

  jared

-- 

[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]


Re: Borrow not working

2005-02-15 Thread Bob
Alexandre Ilha wrote:
 Hello, everybody.
 
 We've been trying to get borrow to work for us, but despite our 
 reading every reasonable piece of documentation, messages in this list 
 and several web pages - trying to find a solution, it's still not 
 working. We also tried to use the same PF configuration on BSD 3.3 and 
 3.6,  with no success.

I couldn't get the CBQ scheduler (I'm in FreeBSD 5.3 which I believe 
uses the same underlying code as OpenBSD - ALTQ) to share out bandwidth 
reliably.

It wouldn't use all the bandwidth available, even if there was only one 
queue in use.

I switched to the HFSC scheduler, and I'm very happy with it. I haven't 
been able to find any decent documentation for it with specific regard 
to PF, but I read enough theoretical overview documents to have a bit of 
a clue. Seems a shame not to have a good document for PF and HFSC, though.
-- 
Bob


A PF lecture/tutorial - work in progress

2005-02-15 Thread Peter N. M. Hansteen
Hi,

I've completed an English version of my PF lecture manuscript (with slight
updates) originally written for a 1 1/2-2 hour session at BLUG.

The material is available in various formats, 

English:

http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf (full manuscript, pdf)
http://www.bgnett.no/~peter/pf/en/ (full manuscript, html)
http://www.bgnett.no/~peter/pf/en/foils/ (foils, html)

Norwegian:

http://www.bgnett.no/~peter/pf/no/pf-brannmur.pdf (full manuscript, pdf)
http://www.bgnett.no/~peter/pf/no/ (full manuscript, html)
http://www.bgnett.no/~peter/pf/no/foils/ (foils, html)

At this point I'm not confident it's publishing quality, but I'd love to
hear comments of any kind.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales


Re: Can't even do an ls on a FTP server located on the WAN

2005-02-15 Thread jared r r spiegel
On Tue, Feb 15, 2005 at 07:58:05PM +0100, Nicolas wrote:
  
  Post your pf.conf.
 
 Unfortunately, the floppy disk is broken on my bastion. Since the
 pf.conf is around 15ko, I'll avoid typing it... ;-)

  can you ftp/scp it off and just post on the www somewhere?
  that sometimes seems to fly for things very large.


 Feb 15 19:57:10.770100 rule 0/0(match): block in on ep0:
 213.246.62.4.36105 > 192.168.14.26.113: S 3830247271:3830247271(0) win
 5840 mss 1420,sackOK,timestamp[|tcp} (DF)
 Feb 15 19:57:13.768532 rule 0/0(match): block in on ep0:
 213.246.62.4.36105 > 192.168.14.26.113: S 3830247271:3830247271(0) win
 5840 mss 1420,sackOK,timestamp[|tcp] (DF)

  that looks like they're pulling an ident lookup on you.

$ grep 113 /etc/services
auth113/tcp authentication tap ident

  don't know offhand if that's where it is dying; given the timestamps, 
  i don't think so, as they pull an ident on you upon the initial 
  connection, not upon your LIST.
 
 Here's what appear on the screen, also:
 
 Feb 15 19:58:36 bastion ftp-proxy[28303]: connect() failed (No route to
 host)

  so if ftp-proxy can talk to 213.246.62.4:21 from 192.168.11.26...
 
 Here's what written in /var/log/daemon:
 Feb 15 19:57:10 bastion ftp-proxy[28303]: accepted connection from
 192.168.11.26:34681 to 213.246.62.4:21
 Feb 15 19:58:36 bastion ftp-proxy[28303] connect() failed (No route to
 host)

  i'm wondering why it is trying to make a connection out on a 
  different socket pair?  i'm thinking that however pf is setup, it is
  probably allowing out the first connection from ftp-proxy; that it is
  failing on that second part makes me wonder about what connection
  really was blocked; would have to be an outgoing one from ftp-proxy
  to somewhere.  if it was incoming, and was blocked, ftp-proxy wouldn't
  know.

  try to see if there's something in the /var/log/pflog you skipped?

 Here's a line for ftp-proxy in /etc/inetd.conf:
 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
 frp-proxy -n -D 3

  for active mode connections, you would need to allow in pf, say, 
  'from tcp remote ftp IP port 20 to $intIf:network user proxy', but
  that rule is only for active connections, doesn't matter for passive.

 However, here's the rule I added for the FTP:
 
 pass in quick on $name_itf_ext inet proto tcp from port 20 to
 ($name_itf_ext) user proxy flags S/SA keep state
 
  ok, that's that..  are you blocking everything by default on 
  bastion, not just inbound?  is there a chance that the connection
  from ftp-proxy back to your LAN was blocked?

  jared

-- 

[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]
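The pass rules an inetd-based ftp-proxy needs under a block-everything policy, covering both of jared's points (the port 20 rule for active mode, and the proxy's own connection back to the LAN), as an added example that is not from the thread. Interface macros, the LAN prefix and the proxy running as user "proxy" are assumptions; the inetd listener on 127.0.0.1:8021 and the port 20 rule come from the thread.

```pf
# Added illustration for the inetd-based ftp-proxy discussed above.
# $int_if, $ext_if and the LAN prefix are assumptions; block-by-default,
# the 127.0.0.1:8021 listener and the port 20 rule follow the thread.
ext_if  = "ep0"
int_if  = "fxp0"
lan_net = "192.168.14.0/24"      # constructed example prefix

block log all

# Control connections from the LAN are redirected to ftp-proxy (inetd
# listens on 127.0.0.1:8021, so the pass rule sees that address).
rdr on $int_if inet proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
pass in on $int_if inet proto tcp from $lan_net to 127.0.0.1 port 8021 flags S/SA keep state

# The proxy (user proxy) opens the control connection and, in passive
# mode, the data connection to the server itself: outbound on $ext_if.
# With "block all" and no such rule, that connect() is what fails.
pass out on $ext_if inet proto tcp from ($ext_if) to any user proxy flags S/SA keep state

# Active mode: the server connects back from port 20 to the proxy.
pass in quick on $ext_if inet proto tcp from any port 20 to ($ext_if) user proxy flags S/SA keep state

# Passive mode: the client connects to the rewritten PASV address, i.e.
# the proxy listening on the bastion's LAN side.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) user proxy flags S/SA keep state

# Active mode: the proxy then connects back to the client's data port on
# the LAN; under block-all this direction needs its own pass rule too.
pass out on $int_if inet proto tcp from ($int_if) to $lan_net user proxy flags S/SA keep state
```

Which of these rules is actually missing shows up in pflog as a blocked packet whose source or destination is the bastion itself, so `tcpdump -n -e -ttt -r /var/log/pflog host <bastion address>` is the quickest check.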


Re: Can't even do an ls on a FTP server located on the WAN

2005-02-15 Thread Nicolas
One more information:

When doing a netstat | more, I see that line:
tcp 0 0 192.168.14.26.62843 heb62004.ikoula..ftp CLOSE_WAIT

I killed ftp-proxy and restarted inetd, but I still get the same
problem.

Could my problem come from the fact that my network is like that:

[FTP CLIENT]--[DEBIAN]--[OBSD BASTION]-WAN[FTP SERVER]

The Debian machine does ftp masquerading, but I don't see anything
abnormal on that machine.

The error message on the bastion, in /var/log/daemon, is:
ftp-proxy[18326]: connect() failed (No route to host)

What host is that? From the bastion, there's no problem at all with
routes to the Debian machine or the FTP server...

Please, do you have any solution?

Thank you.
Nicolas.

-- 
--- OxStOnE --  O
- Z750  Linux ---  ._ /\_
--- Powered --  (x) (x)



Re: Can't even do an ls on a FTP server located on the WAN

2005-02-15 Thread Nicolas
On Tue, Feb 15, 2005 at 06:50:51PM -0700, jared r r spiegel wrote:
 ...
  However, here's the rule I added for the FTP:
  
  pass in quick on $name_itf_ext inet proto tcp from port 20 to
  ($name_itf_ext) user proxy flags S/SA keep state
  
   ok, that's that..  are you blocking everything by default on 
   bastion, not just inbound?  is there a chance that the connection
   from ftp-proxy back to your LAN was blocked?

Jared,

You're right, everything is blocked by default on the bastion, not just
inbound but also outbound! What ports, hosts and direction should I
allow, in your opinion?

I now hope we're approaching a solution!

Your help is greatly appreciated!

Nicolas, Paris.

-- 
--- OxStOnE --  O
- Z750  Linux ---  ._ /\_
--- Powered --  (x) (x)